firewall reports issues
« on: December 06, 2007, 07:36:16 AM »
I have version 2.7 standalone.

My firewall is reporting issues as follows, which concern me. It appears that when runcrawl.php is run as a cron job, it "talks" to IP 83.170.104.103, which is hosted by xml-sitemaps.com.

I am not a programmer, just a web site designer, but I wonder if it can be confirmed that there is "no problem" here. I have had a look at runcrawl.php and it is coded, so one cannot see what is going on. Is it a "security feature" of the programme to ensure that it is a legit copy, or something like that?

Here is an example of an email I receive from my firewall:

Time:    Thu Dec  6 07:01:04 2007
PID:     4472
Account: xxx
Uptime:  62 seconds


Executable:

/usr/local/bin/php


Command Line (often faked in exploits):

/usr/local/bin/php /home/xxx/public_html/blog/sitemap/runcrawl.php


Network connections by the process (if any):

tcp: xx.xxx.xxx.xx:60857 -> 83.170.104.103:80


Files open by the process (if any):

/tmp/ZCUDT6Or8S (deleted)
/tmp/sess_9030755ce348fdeafe98ab59f54eb919


Memory maps by the process (if any):


thanks
Peter
Re: firewall reports issues
« Reply #1 on: December 07, 2007, 01:15:56 AM »
Hello,

Yes, this is only a security measure to make sure that the copy is legal. You can trace that HTTP request to confirm that.
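
One way to triage process-tracking alerts like the one quoted in the first post, as an added example that is not part of the thread or of the product's code: it parses the alert's sections and flags any destination not on an operator-maintained allowlist, plus any file that is open but already deleted. The sample alert is condensed and constructed from the post's layout (the source address is a documentation-range placeholder); `EXPECTED`, `parse_alert` and `triage` are hypothetical names.

```python
import re

# Constructed, condensed sample in the layout of the alert quoted in the first
# post; the source address 192.0.2.10 is a documentation-range placeholder.
SAMPLE_ALERT = """\
Time:    Thu Dec  6 07:01:04 2007
PID:     4472
Account: xxx
Executable:
/usr/local/bin/php
Command Line (often faked in exploits):
/usr/local/bin/php /home/xxx/public_html/blog/sitemap/runcrawl.php
Network connections by the process (if any):
tcp: 192.0.2.10:60857 -> 83.170.104.103:80
Files open by the process (if any):
/tmp/ZCUDT6Or8S (deleted)
/tmp/sess_9030755ce348fdeafe98ab59f54eb919
"""

# Assumption: destinations the operator has reviewed and expects for this script.
EXPECTED = {("83.170.104.103", 80)}
CONN = re.compile(r"^(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alert(text):
    """Split the alert into 'Key: value' header fields and titled sections."""
    fields, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):                  # section title, e.g. "Executable:"
            current = line[:-1].split(" (")[0]  # drop "(if any)" style suffixes
            sections[current] = []
        elif current is None and ":" in line:   # header field before any section
            key, _, val = line.partition(":")
            fields[key] = val.strip()
        elif current is not None:
            sections[current].append(line)
    return fields, sections

def triage(text, expected=EXPECTED):
    """Return findings that need a human look; an empty list means none."""
    _, sec = parse_alert(text)
    findings = []
    for line in sec.get("Network connections by the process", []):
        m = CONN.match(line)
        if m and (m.group(4), int(m.group(5))) not in expected:
            findings.append(f"unexpected destination {m.group(4)}:{m.group(5)}")
    for path in sec.get("Files open by the process", []):
        if path.endswith("(deleted)"):
            findings.append(f"open but unlinked file {path}")
    return findings
```
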
Re: firewall reports issues
« Reply #2 on: December 07, 2007, 02:26:47 AM »
Thank you for your advice. I thought as much, and don't have a problem with it. It is nice to receive confirmation.

Peter